The “Cyber Nation’s” Need for New Cyber Laws
The rise in the use of technologies that collect our personal data on a widespread and regular basis, combined with an increase in cyber-attacks on the entities that collect and store such data, is creating a significant threat to individual privacy worldwide. Countries around the world have responded by updating their cyber regulations and privacy laws. While Israel is a global front-runner in the development of defensive cyber technologies, its legal framework for the protection of personal data appears to be outdated and insufficient to address contemporary threats to data privacy.
Israel’s regulatory efforts in the area of cyber-security over the last couple of years have focused on two main objectives: (1) regulating cyber-security within governmental or regulated entities; and (2) regulating the provision of cyber-security services and products.
The Government of Israel has been working to promote cyber-resilience in the public sector. Government Resolution No. 2443, dated February 15, 2015, aims to do so by forming a new governmental cyber authority, allocating a cyber-security budget and imposing new cyber-related requirements on Government offices. In this context, the Government is working to establish a national CERT (Cyber Event Readiness Team), which will provide cyber-related support and guidance to entities in both the public and private sectors, as well as a Security Operations Center (SOC), an intelligence-based entity focusing mainly on the protection of Government offices. Simultaneously, various Government regulators have been imposing cyber-related obligations on a growing group of regulated entities. For example, in September 2015 the Supervisor of Banks issued a cyber-security directive to banks and credit card companies. The Director of the Capital Market, Insurance and Savings Department in the Ministry of Finance is currently working on a similar directive targeting financial institutions. However, the impact of such directives is currently limited to a few specific regulated sectors.
The Government is also taking steps to regulate the local cyber-security market. Government Resolution No. 2443 set new standards for cyber professionals, their training and certification, and the testing and approval of cyber products. Pursuant to Resolution No. 2443, in December 2015 the National Cyber Bureau published a policy paper on the regulation of cyber-security professions. This policy sets out a list of regulated professions, the professional knowledge and qualifications required for each of them, and the mechanism for implementing and enforcing such requirements (however, implementation of this policy would appear to require legislation). A proposed order relating to the export of cyber-security products was also published in the same month, with the goal of expanding supervision of the export of cyber products from Israel. However, following the criticism voiced on the matter, especially from the local cyber industry, this initiative was abandoned, and Israel is likely to continue to apply to such exports the provisions of the Wassenaar Arrangement, which reflect the international standards for the export of dual-use products.
Although, as mentioned above, Israeli regulators are working to promote cyber-security in the public sector and to set ground rules for the local cyber industry, Israel appears to be far behind other countries when it comes to protecting its residents from data privacy risks. The main Israeli law that addresses this area is the Protection of Privacy Law, enacted in 1981 (the “Privacy Law”). This law reflects an outdated concept that data privacy may be protected by requiring organizations that store personal data to register their “databases” with the government, a technical process under which the organization provides a few general details on the database, its intended use and the types of data it contains. The Privacy Law does not impose substantial duties on the controllers of such databases to ensure that the personal data in them is protected. In practice, the protection of personal data in registered databases is limited to the data subject’s right to be informed that providing information is subject to their consent, the right to review such information, and the right to demand correction of inaccuracies.
Clearly, the Privacy Law was not meant to deal with today’s data-saturated reality, where every online store may hold personal information of tens or even hundreds of thousands of civilians. More specifically, the existing legal framework lacks basic elements that exist in modern data privacy laws in other countries, such as the requirement to inform the data subject and the relevant authorities in the event of a data breach or the setting of minimum data security standards that every controller of personal data would have to adhere to (the Privacy Law only provides a general statement that the owner, controller and manager of a database are responsible for protecting the data stored in such database).
Given the deficiencies described above, Israeli legislators and regulators should formulate a new legal framework consistent with the emerging international standards in the field of data privacy protection and cyber-security. First, Israeli regulators should extend the list of public or supervised bodies on which cyber-security duties have been imposed so far. After the financial institutions, one can assume that the regulators will act to impose such requirements on medical institutions, local government and other public or semi-public entities. Additionally, it is safe to assume that the Israel Securities Authority (ISA) will also publish detailed cyber-security guidelines applicable to fund managers, portfolio management companies and other entities governed by it (so far the ISA has provided only general guidelines on the subject).
Second, Israel needs to significantly strengthen its legal framework for the protection of privacy in order to meet the evolving international standards in this area. It should compel companies that collect personal data to obtain the data subject’s explicit consent to hold and use such information. Additionally, in cases of data breaches that compromise personal data, companies should be required to inform an authorized authority (for example, the Authority of Law and Technology at the Ministry of Justice or the Israeli Police) within a reasonable time, and to notify the affected individuals when such a breach could significantly harm them. Crafting this new legal framework is not merely a technical process; it also requires ethical and policy decisions on the role of privacy and the proper balance between the right to privacy and other competing rights. Different countries hold different views as to how this balancing test should be applied. As part of this process, the Israeli legislator will further need to consider where it stands on legal concepts that have evolved in recent years, such as the “right to be forgotten” and the requirement of “privacy by design”. If the legislature and local regulators do not act on their own initiative to formulate an updated legal framework addressing these issues, it is probable that certain legal requirements will be imposed on Israel from outside (for example, through restrictions other countries impose on transferring personal data to Israel), resulting in regulations that do not necessarily reflect the views of the Israeli legislator.
Concurrently with the imposition of new cyber-security and privacy-related requirements, the Government should also create incentives for companies to share information on cyber-attacks, and should devote further resources to educating the public on cyber-security and privacy-related threats and on measures to mitigate them. Israel, a country with leading innovation in the field of cyber-security, can certainly become a global leader in privacy and cyber-related laws. Adopting a new legal framework in these areas, as described above, would be an important step towards that goal.