Real-Time Reporting of Major Data Breach Events

Barnea Jaffa Lande & Co.

The Israel Privacy Protection Authority (PPA) recently published a change in its policy on the timely reporting requirements for medium-level or high-level security database owners, upon the occurrence of a major data breach event in their databases. The PPA also amended its interpretation of the requirements set by Israeli privacy regulations on reporting data breach events immediately.

Since the regulations came into effect in May 2018, anyone who collects information in Israel must set a database’s security level. Owners of medium-level and high-level security databases must immediately report major security events to the PPA.

Under the new interpretation, a medium-level or high-level security database owner must immediately report to the PPA any major data breach event, as well as the measures the database owner has taken to address and mitigate the event. This must occur within a 24-hour window of learning of the event. The above is in contrast with the timeline the PPA previously recommended, according to which reporting was required within 24 hours of learning of the major security event and no more than 72 hours after the event’s occurrence.

The reporting window was narrowed because of the recent proliferation of major data security events in Israel and worldwide.

Database managers (controllers) and database holders (processors) each have a separate duty to report, but a report by one of these sources (database owner, holder, or manager) is sufficient to discharge all three sources of their duty to report.

Note that the PPA interprets the phrase “data security event” or “security event” broadly, so that it also applies to potential harm to data and not only actual harm. The PPA’s position therefore imposes an immediate duty to report even in cases in which there is only the potential for a data security event and not a demonstrated event.

The PPA’s reporting form has also been modified, and it now requires completing many more details. These include the location of the servers on which the database was stored, whether there is an insurance policy covering the event, the number and names of people authorized to access the data, and more.

How to Prepare for the New Recommendations

Considering the new interpretation, companies that hold databases must thoroughly review the contracts and agreements they signed with regard to data protection. They must also prepare for data security events ahead of time, both in terms of establishing procedures that comply with data security regulations and in terms of the PPA’s reporting recommendations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Barnea Jaffa Lande & Co. | Attorney Advertising
