Board of Directors’ responsibility for data security in a company
The Israeli Privacy Protection Authority recently published a binding directive addressing the board of directors’ responsibilities for the fulfillment of a company’s obligations prescribed in the Privacy Protection Regulations (Data Security). This directive, which has just come into effect after a period of public comments, expands and clarifies the responsibilities imposed on a board of directors with regard to privacy protection and data security.
The directive for the first time states that the board of directors bears full responsibility for data security in a company and, in the event of a violation of the binding rules, the company will be exposed to a fine of NIS 320 thousand per violation.
Applicability of the directive
This latest directive of the Privacy Protection Authority focuses on corporations engaging primarily in the processing of personal information, or corporations whose business activities could give rise to heightened privacy risks. Examples of these corporations include:
- Cellular companies and companies that collect location data
- Banking corporations and insurance companies
- Companies engaging in the field of medicine
- Major retailers
- Manpower companies and screening institutes engaging in personal evaluations.
In order to ascertain whether the directive’s provisions apply to one’s corporation, one needs to analyze, inter alia, the corporation’s characteristics (private or public company), the type and sensitivity of the information being processed, the volume of information being collected and the number of employees authorized to access this information. For example, corporations that collect a significant volume of economic or medical information during their routine operations will be subject to the directive.
The board of directors’ responsibility for implementing the regulations
According to the Authority’s directive, since the board of directors is one of the company’s organs responsible for data security, it is responsible for supervising and ensuring that the company is complying with the provisions of the law and regulations, and for setting an organizational policy in this regard. The board of directors is also required to be involved specifically in fulfilling the requirements and even to be among the decision-makers.
Accordingly, the directive states that the board of directors is responsible for fulfilling five key obligations prescribed in the regulations:
- The board must approve a database definition document, which must include, inter alia: a description of the activities of collecting and using the information; a description of the purposes for using the information; the various types of information included in the database; etc.
- The board must discuss the key principles of the organizational data security procedure. This procedure must include instructions regarding the physical and environmental security of the database; database access authorizations; a description of the measures that must be taken to protect the database; how to contend with data security incidents; etc.
- The board must hold a quarterly or annual discussion (depending on the security level of the database) of data security incidents in the corporation, including ascertaining whether there is a need to revise the organizational data security procedure.
- The board must supervise the holding of a discussion of the results of a risk review and of penetration tests and must approve the actions required to rectify the deficiencies discovered (in relation to databases requiring a high level of security).
- The board must hold a discussion of the results of the periodic audit (once every two years for medium- and high-security databases) concerning compliance with the regulations.
Other key provisions of the directive
- The directive also refers to Amendment No. 13 to the Privacy Protection Law, which was recently approved by the Knesset and is expected to come into effect in August 2025. The Amendment inter alia defines a new category of “highly sensitive information,” which affects the height of the financial sanctions that will be imposed in the event of a violation; obligates companies to appoint a privacy protection officer; and obligates companies to register databases and report their existence to the Privacy Protection Authority.
- The directive recognizes that, in appropriate instances, the board of directors will be allowed to delegate its responsibilities to another entity in the company, taking into consideration the degree of privacy risk involved in the company’s activities, its size and the composition of the board of directors. Nevertheless, even in such situations, the board of directors will remain obligated to actually supervise fulfillment of the regulatory requirements.
- The directive clarifies that the board of directors’ obligations are designed to supplement, and do not diminish, the responsibilities imposed on the company’s management, its CEO or any other officer responsible for regulatory compliance in the company. Furthermore, the directive could form the basis for derivative suits that may be filed by shareholders against directors.
- Finally, the directive states that one of the key measures through which the board of directors may fulfill its supervisory obligation is the adoption of an effective internal enforcement program. Such a program should include mechanisms for controlling, reporting and supervising the implementation of the provisions of the laws and regulations governing privacy protection and data security.
Measures that should be taken
In order to mitigate the risk that personal liability might be imposed on directors in respect of their obligations under the regulations – whether during enforcement proceedings by the Privacy Protection Authority or as a result of personal or derivative lawsuits – the company and the board of directors should familiarize themselves with the obligations imposed on them pursuant to the privacy protection laws. They must also take measures to actually fulfill their obligations as directors.
In order to fulfill the applicable data security obligations as stated, companies should consider implementing several measures:
- provide training sessions for board members on privacy protection and data security;
- remap the databases in their possession in order to classify them in conformity with the provisions of the Privacy Protection Regulations (Data Security);
- update the assessment of the data security risks that the company faces;
- update and revise the company’s data security procedures pertaining to security incidents;
- ensure that the company’s internal control systems comply with the revised provisions;
- consider appointing a professional advisor to the board on matters pertaining to privacy protection and data security.
***
Barnea Jaffa Lande’s privacy, cyber and AI department is at your service to answer any questions concerning maintaining privacy protection and data security, building compliance programs, etc.
Dr. Avishay Klein is a partner at Barnea Jaffa Lande and heads the department.
Adv. Masha Yudashkin is an associate in the department.