Publications | Cyber-Security, Privacy and Data Protection
November 27th, 2017

In an article published in Calcalist, Adv. Sagit Amit-Evan, specializing in international M&A and capital markets, explains the connection between the heightened focus on cyber risks and M&A transactions, reviewing, among others, the intensifying due diligence examinations, potential adjustments to enterprise valuation and changes in risk allocation among the parties. For further reading:

July 2nd, 2017

In an op-ed published in The Marker, Adv. Assaf Harel reviews Israel's new privacy regulations that impose comprehensive cyber-security requirements on organizations that collect or hold personal data. The article was published as part of Tel Aviv University's 2017 Cyber Week. For further reading (Hebrew):

March 16th, 2017

The Israel Anti-Trust Authority has issued a draft opinion on information sharing for cybersecurity purposes. Partners Timor Belan and Avner Finkelshtein and associates Assaf Harel and Shira Plotnik review the main attributes of the draft.

Israeli Anti-Trust Authority Issues New Draft Opinion on Information Sharing for Cybersecurity Purposes*

Growing cybersecurity threats require businesses to take various measures to protect their systems, including by sharing information with other businesses - even competitors - to facilitate better evaluation of existing threats and to promote the protection of computer-based systems. However, the sharing of information among competitors may also be considered prohibited under anti-trust laws. In this context, and given the value of information sharing as a measure for promoting cyber-security, Israel’s Anti-Trust Authority (the “IAA”) has recently published a draft opinion (the “Draft Opinion”) that is meant to clarify the boundaries for the sharing of cyber-related information among competitors.
According to the Draft Opinion, sharing of information that is not related to business activities, but solely to cyber-security threats (for example, information on system vulnerabilities, or indications of possible cyber events), is not likely to limit competition, and may even promote it, by assisting all competitors to overcome cyber-attacks and to maintain functioning and protected systems. Accordingly, the Draft Opinion states that the IAA would not view such information sharing as a measure that restricts or reduces competition.
The Draft Opinion further states that due to the contribution that access to security-related data could provide to a company’s ability to address cyber-security threats, the prevention of access to cyber-security data sharing systems, without reasonable justification, may negatively affect competition.
The Draft Opinion is open for public comments until April 5, 2017.

For further information please contact:
Timor Belan (partner), Avner Finkelshtein (partner), Assaf Harel or Shira Plotnik

*This client update is designed to provide general information only, is not a full or complete analysis of the matters presented, and may not be relied upon as legal advice.

August 4th, 2016

Timor Belan (Partner) and Assaf Harel on the need for new and updated cyber regulations and privacy laws.

The rise in the use of technologies that collect our personal data on a widespread and regular basis, combined with an increase in cyber-attacks on entities that collect and store such data, is creating a significant threat to individual privacy worldwide. Countries around the world have responded by updating their cyber regulations and privacy laws. While Israel is a global front-runner in the development of defensive cyber technologies, its legal framework for the protection of personal data appears outdated and insufficient to address contemporary threats to data privacy.

Israel’s regulatory efforts in the area of cyber-security, in the last couple of years, have been focused on two main objectives – (1) regulating cyber-security within governmental entities or regulated entities; and (2) regulating the provision of cyber-security services and products.
The Government of Israel has been working to promote cyber-resilience in the public sector. Government Resolution No. 2443, dated February 15, 2015, aims to do so by forming a new governmental cyber authority, allocating a cyber-security budget and imposing new cyber-related requirements on Government offices. In this context, the Government is working to establish a national CERT (Cyber Event Readiness Team), which will provide cyber-related support and guidance to entities in both the public and private sectors, as well as a Security Operations Center (SOC), which will be an intelligence-based entity focusing mainly on the protection of Government offices. Simultaneously, various Government regulators have been imposing cyber-related obligations on a growing group of regulated entities. For example, in September 2015 the Supervisor of the Banks issued a cyber-security directive to banks and credit card companies. The Director of the Capital Market, Insurance and Savings Department in the Ministry of Finance is currently working on a similar directive targeting financial institutions. However, the impact of such directives is currently limited only to a few specific regulated sectors.

The Government is also taking steps to regulate the local cyber-security market. Government Resolution No. 2443 set new standards for cyber professionals, their training and certification, as well as the testing and approval of cyber products. Pursuant to Resolution No. 2443, in December 2015 the National Cyber Bureau published a policy paper on the regulation of cyber-security professions. This policy sets out a list of regulated professions, the professional knowledge and qualifications required for each, and the mechanism for implementing and enforcing such requirements (implementation of this policy would, however, appear to require legislation). A proposed order relating to the export of cyber-security products was also published in the same month, with the goal of expanding supervision of the export of cyber products from Israel. Following the criticism voiced on the matter, especially from the local cyber industry, this initiative was abandoned, and Israel is likely to continue to apply to such exports the provisions of the Wassenaar Arrangement, which reflect the international standards for the export of dual-use products.

Although, as mentioned above, Israeli regulators are working to promote cyber-security in the public sector and to set ground rules for the local cyber industry, Israel appears to be far behind other countries when it comes to protecting its residents from data privacy risks. The main Israeli law that addresses this area is the Protection of Privacy Law, enacted in 1981 (the “Privacy Law”). This law reflects an outdated concept that data privacy may be protected by requiring organizations that store personal data to register their “databases” with the government, a technical process under which the organization provides a few general details on the database, its intended use and the types of data it contains. The Privacy Law does not impose substantial duties on the controllers of such databases to ensure that the personal data in them is protected. In practice, the protection afforded to data subjects is limited to the right to be informed that providing the information is subject to their consent, the right to review the information held about them, and the right to demand correction of inaccuracies.

Clearly, the Privacy Law was not meant to deal with today’s data-saturated reality, where every online store may hold personal information of tens or even hundreds of thousands of civilians. More specifically, the existing legal framework lacks basic elements that exist in modern data privacy laws in other countries, such as the requirement to inform the data subject and the relevant authorities in the event of a data breach or the setting of minimum data security standards that every controller of personal data would have to adhere to (the Privacy Law only provides a general statement that the owner, controller and manager of a database are responsible for protecting the data stored in such database).

Given the deficiencies described above, Israeli legislators and regulators should formulate a new legal framework consistent with the emerging international standards in the field of protection of data privacy and cyber-security. First, Israeli regulators should extend the list of public bodies or supervised bodies on which cyber-security duties have been imposed so far. Following the financial institutions, one can assume that the regulators will act to impose such requirements on medical institutions, local government and other public or semi-public entities. Additionally, it is safe to assume that the Israel Securities Authority (ISA) will also publish detailed cyber-security guidelines applicable to fund managers, portfolio management companies and other entities governed by it (so far the ISA has provided only general guidelines on the subject).

Second, Israel needs to significantly strengthen its legal framework for the protection of privacy in order to meet the evolving international standards in this area. It should compel companies that collect personal data to obtain the data subject's explicit consent to hold and use such information. Additionally, in the event of a data breach that compromises personal data, companies should be required to inform an authorized authority (for example, the Law, Information and Technology Authority at the Ministry of Justice, or the Israel Police) within a reasonable time, and to notify the affected individuals where the breach could significantly harm them. Crafting this new legal framework is not merely a technical process; it also requires ethical and policy decisions on the role of privacy and the proper balance between the right to privacy and competing rights. Different countries hold different views as to how this balancing test should be applied. As part of this process, the Israeli legislator will further need to decide where she stands on legal concepts that have evolved in recent years, such as the “right to be forgotten” and “privacy by design”. If the legislature and local regulators do not act on their own initiative to formulate an updated legal framework addressing these issues, it is probable that certain legal requirements will be imposed on Israel from outside (for example, through restrictions other countries impose on transferring personal data to Israel), resulting in rules that do not necessarily reflect the views of the Israeli legislator.

Concurrently with the imposition of new cyber-security and privacy-related requirements, the Government should also create incentives for sharing information, among companies, on cyber-attacks, and should further devote resources to educating the public on cyber-security and privacy related threats and on measures to mitigate such threats. Israel, a country with leading innovation in the field of cyber-security, can certainly become a global leader in privacy and cyber-related laws. Adopting a new legal framework in these areas, as described above, would be an important step towards promoting that goal.


Adv. Timor Belan (partner) and Adv. Assaf Harel lead Gornitzky & Co.’s Cyber Security, Privacy and Data Protection practice.

October 29th, 2017

Assaf Harel offers 3 key takeaways from the recent Equifax data breach (Hebrew).

May 3rd, 2017

Timor Belan (Partner) and Assaf Harel (Associate) survey the new regulations and explain key takeaways for businesses operating in Israel (Hebrew).

November 8th, 2016

Regulators are imposing new cybersecurity requirements on financial institutions. Partner Timor Belan, together with associates Assaf Harel and Shira Plotnik, explains how this may affect the financial sector.

In response to the increasing cybersecurity threats to the financial sector and considering the grave risks associated with such threats, regulators have introduced new cybersecurity requirements aimed at improving the protection of companies in the financial sector from such risks. This Client Update discusses two recent cybersecurity regulations that will affect financial institutions operating in the State of New York or in Israel – the proposed New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (the “Proposed Regulation”) and the Directive on the Management of Cyber Risks, published by the Israeli Ministry of Finance (the “Israeli Directive”). This Client Update also addresses guidelines recently issued by the Group of Seven Industrial Powers (“G-7”).

On September 13, 2016, the NYDFS published the Proposed Regulation, which requires financial institutions regulated by the NYDFS (such as banks and insurance companies) to implement a number of measures to protect their systems from misuse, disruption and unauthorized access. Such measures include, inter alia, establishing and maintaining a cybersecurity program; adopting a cybersecurity policy, to be reviewed annually by the board of directors and approved by a senior officer of the institution; appointing a chief information security officer responsible for implementing and enforcing the cybersecurity program; adopting and implementing policies for interactions with third parties (including requiring certain cyber-related representations and warranties from such third parties); and preparing a response and recovery plan for cybersecurity events.

Furthermore, the Proposed Regulation requires financial institutions to notify the superintendent of the NYDFS of cybersecurity events no later than 72 hours after becoming aware of the event, and to submit to the superintendent, on an annual basis, a certificate confirming compliance with the requirements of the Proposed Regulation.

Israel’s financial regulators have also taken important steps to promote cyber readiness and resilience among companies operating in the Israeli financial sector. On August 31, 2016, following the March 2015 publication of the Bank of Israel’s cybersecurity requirements applicable to banks and credit card companies, the Director of the Capital Market, Insurance and Savings Department in the Ministry of Finance of Israel issued the Israeli Directive, which applies to other financial institutions (such as insurance companies and companies managing provident funds and pension funds). The Israeli Directive imposes new requirements which are intended to promote the confidentiality, integrity and availability of sensitive information stored by such financial institutions, and to protect the proper function of their computer systems.

The Israeli Directive requires financial institutions to adopt a cybersecurity program and a policy, to be approved by the board of directors on an annual basis; to appoint a cybersecurity officer who will oversee the cybersecurity program, implement the cybersecurity policy and guide the institution on cybersecurity in general; and to provide cybersecurity training to employees. Although the Israeli Directive requires financial institutions to notify the Ministry of Finance of cybersecurity events, in contrast to the NYDFS Proposed Regulation it does not define a clear time frame for such notifications, stating only that they shall be given “as soon as possible”. The Israeli Directive also stipulates that the CEO of the financial institution is responsible for managing the institution’s cybersecurity risks and for allocating the proper resources in this regard.

Efforts to promote cybersecurity in the financial sector have also been made at the international level. On October 11, 2016, the G-7 issued a set of nonbinding cybersecurity guidelines to promote cybersecurity best practices in the financial sector (titled G-7 Fundamental Elements of Cybersecurity for the Financial Sector). The guidelines are intended to assist private and public financial entities in developing and shaping their cybersecurity strategy in order to address the growing number of cyber threats. The G-7 guidelines consist of eight elements: establishing a cybersecurity strategy and framework; setting governance; conducting risk and control assessments; establishing monitoring processes; implementing response policies; establishing recovery plans; sharing information with internal and external stakeholders; and continuous learning.

The NYDFS Proposed Regulation is open for public comments until November 12, 2016. If adopted in its current proposed form, it would become effective on January 1, 2017. The Israeli Directive will become effective in Israel on April 2, 2017.

Gornitzky’s Cyber-Security, Privacy and Data Protection team offers clients a well-rounded multidisciplinary approach to navigating the emerging regulatory and legal frameworks in the field of cyber security, privacy and data protection.

For further information please contact: Timor Belan (Partner) (timorb@gornitzky.com), Assaf Harel (assafh@gornitzky.com) or Shira Plotnik (shirapl@Gornitzky.com)

* This client update is designed to provide general information only, is not a full or complete analysis of the matters presented, and may not be relied upon as legal advice.

June 7th, 2016

Client Update – The EU Data Protection Regulation Imposes New Requirements on Non-EU Companies and May Affect Your Non-EU Business. By Timor Belan (Partner) and Assaf Harel

If your company markets products or services in the EU or applies online tracking techniques to individuals in the EU, the new EU General Data Protection Regulation (GDPR) may affect your business.

The GDPR, which was adopted on April 14, 2016, replaces the current EU Data Protection Directive (Directive 95/46/EC) and seeks to address new challenges brought by rapid technological developments, by providing a strong and coherent data protection framework, backed by strong enforcement.

This new regulation imposes comprehensive requirements on non-EU companies that process the personal data of data subjects in the EU in connection with offering goods or services in the EU or monitoring the behavior of data subjects in the EU. For example, an Israeli company that directly markets its products in the EU, or that applies certain online tracking techniques to individuals in the EU, may be subject to the GDPR even if it has no physical presence in the EU.

Among the requirements applicable to non-EU companies, are the obligations to:

  • provide data subjects with information on the purpose of data processing, the recipients of the data and additional information necessary to ensure fair and transparent processing (such as information on profiling of data subjects). This information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to children;
  • report data breaches to a “supervisory authority” (generally, within 72 hours after becoming aware of the breach), and in some cases to the data subjects themselves;
  • comply with demands of individuals to erase their personal data without undue delay (in concert with the concept of the “right to be forgotten”); and
  • in some cases, to appoint a representative in the EU.

Violation of certain provisions of the GDPR may lead to a fine of up to €20 million or 4% of the company's total worldwide annual turnover (whichever is higher).

Companies are provided a two-year transition period as the GDPR will become applicable from May 25, 2018. It will be applicable in all EU Member States, with no need for national legislation.

As mentioned above, the GDPR may be applicable to companies irrespective of whether they are physically present in the EU. Accordingly, businesses are encouraged to examine whether their activities fall within the scope of the GDPR and, if so, to use the transition period, until the GDPR becomes applicable, in order to ensure that their policies and practices are aligned with the requirements of the GDPR.

Gornitzky’s Cyber-Security, Privacy and Data Protection team offers clients a well-rounded multidisciplinary approach to navigating the emerging regulatory and legal frameworks in the field of cyber security, privacy and data protection.

For further information on these developments, please feel free to contact: Timor Belan (Partner), Assaf Harel (Associate)

This client update is designed to provide general information only, is not a full or complete analysis of the matters presented, and may not be relied upon as legal advice.