Acting Head of Israeli PPA: Data Breach Incidents - the New Battlefield

Data breach incidents, including ransom demand incidents, are growing increasingly common. They emphasize the importance of data protection measures and compliance with the Protection of Privacy law and the Information Security Regulations. Organizations need to consider whether to discard some of the information in order to reduce the risk in advance. These were the statements of the acting head of the Israeli Privacy Protection Authority, Dr. Shlomit Wagman, in an online meeting discussing the appointment of privacy/data protection officers in organizations.

Although Dr. Wagman refrained from identifying specific security incidents, her remarks were made amid the data breach incidents at the Israeli insurance company Shirbit, Habana Labs, Amital, and dozens of supply companies. 

According to Dr. Wagman, information security incidents increasingly become the new battlefield. She indicated the operative tools available to the Privacy Protection Authority in dealing with these incidents include the following:

 Administrative enforcement against the company that sustained a severe security incident. 

  • Criminal enforcement actions against the company, its directors and owners, depending on the severity of the circumstances. 
  • Criminal proceedings against the hacker (law.co.il notes that the hacker first needs to be apprehended, yet the investigating authorities do not excel in tracking down hackers). 
  • Cancelling or suspending the registration of the database, such that "it is not possible to operate the business until the suspension is lifted. We find this to be a very powerful tool”, said Dr. Wagman.
  • The database owner can be compelled to notify data subjects about the incident. This step was taken in the Shirbit incident, to allow the victims to take precautions and minimize the potential damage due to the breach of their data. According to Dr. Wagman, this is a powerful tool that makes organizations really consider in advance how they ought to protect the information, so that they do not face situations that could implicate the organization's reputation and attract civil lawsuits. 
  • The Authority can approve or withhold approval the reconnection of the databases to external systems, only after it is convinced that the company has taken adequate steps to repair the security vulnerability that facilitated the incident. According to the Authority's acting head, "sometimes an incident send a signal to hackers to continue to penetrate the systems, and we want to prevent this." 
  • The Authority may give company employees instructions and guidelines to ensure that they are not as a source of additional compromised information by way of social engineering. 

Alongside these, Dr. Wagman said that the Authority views class action lawsuits and civil lawsuits against those who violated the information security obligation as a very effective industry mechanism. Law.co.il notes that within two days of Shirbit announcing its data breach, four class action lawsuit were filed against the company.