Do you have to Manage Security Incidents and Report Data Breaches?

Under the Protection of Privacy Regulations (Data Security) 5777-2017, a security incident is defined as an event that raises concern about a breach of data integrity, unauthorized use of the data, or use that exceeds authorization. Database controllers have four obligations concerning security incidents:

  • They must document security incidents, relying as much as possible on automatic records (e.g., event logs);
  • They must create a security incident management process and include it in the organization’s information security procedure (See: “What is the Information Security Procedure?”);
  • They must conduct periodic security incident discussions (on an annual basis if the medium security level applies, or on a quarterly basis if the high security level applies). Under the regulations, databases under the basic security level are exempt (See: “What are Database Information Security Levels?”);
  • They must immediately report a severe security incident to the Privacy Protection Authority (PPA). A severe security incident means: (a) in a database subject to the high security level – any incident involving unauthorized use of the data or damage to the data integrity; (b) in a database subject to the medium security level – an incident involving unauthorized use of a substantial part of the database or damage to the data integrity with respect to a substantial part of the database. Incidents in a database subject to the basic security level are exempt from notification.

The duty to report the incident lies with both database owners and database holders. If the incident occurred within the database holder’s purview, the database owner and holder must decide between them which party will notify the Privacy Protection Authority (PPA) about the incident.

There is no mandatory requirement to notify the affected individuals of the incident. However, the Privacy Protection Authority (PPA), after consultation with the National Cyber Directorate, can order the notifying entity to send a notification to the affected data subjects.

Please note: The information provided in this content is for informational purposes only and does not constitute legal advice. It is not intended to create an attorney-client relationship. If you have any questions, please contact us at: [email protected]