Pr-Hof Law

A Leading Technology, Data Protection & Cyber Law Firm

Do you have to Manage Security Incidents and Report Data Breaches?

Under the Protection of Privacy Regulations (Data Security) 5777-2017, a Security Incident is defined as an event that raises concern about a breach of the data integrity, an unauthorized use thereof, or use that exceeds authorization. Database owners have four obligations concerning Security Incidents: 

  • They must document Security Incidents, relying as much as possible on automatic records (e.g., event logs);
  • They must create a Security Incident management process and include it in the organization’s information security procedure (See: “What is the Information Security Procedure?”);
  • They must hold periodic Security Incident discussions under the Regulations (on an annual basis if the medium security level applies, or on a quarterly basis if the high security level applies). Databases under the basic security level are exempt (See: “What are Database Information Security Levels”);
  • They must report a Severe Security Incident to the Privacy Protection Authority. A Severe Security Incident means: (a) in a database subject to the high security level – any incident involving unauthorized use or damage to the data integrity; (b) in a database subject to the medium security level – an incident involving unauthorized use of a substantial part of the database or damage to the data integrity with respect to a substantial part of the database. Incidents in a database subject to the basic security level are exempt from the notification requirement.

The duty to report the incident lies with both database owners and database holders. If the incident occurred within the database holder’s purview, the database owner and the holder decide between them which of the two will notify the Privacy Protection Authority about the incident.

Notification is mandatory within 24 to 72 hours after becoming aware of the incident.

There is no mandatory requirement to notify data subjects of the incident. However, the Privacy Protection Authority, after consultation with the National Cyber Directorate, can order the notifying entity to send a notification to the affected data subjects.