The connection between the legal duty to report a cyber-breach and the exposure to liability claims arising from a cyber-attack has already become common knowledge. In the past year, several developments occurred in the Israeli law increasing the duty to notify a cyber-breach, and thus the exposure to liability claims.
Until May 2018, the Israeli Law did not include a general duty to notify a party whose personal information was exposed during a cyber breach. Nevertheless, a limited duty to notify of a cyber event was set in directives which applied to banks and financial institutions and required them to notify the regulator in case of a cyber breach.
In May 2018 the Privacy Protection Regulations, 2017 came into force. The new regulations included a duty to report a “severe security event” to the Privacy Protection Authority. The Privacy Protection Authority was given the authority, after consulting with the National Cyber Protection Authority, to instruct the owner of a database which was attacked, to notify those whose information was exposed in the attack.
The term “Severe Security Event” is defined in the regulation as follows: In a database which is subject to a high level of security – a cyber event in which information included in the database was used or damaged; In a database which is subject to a medium level of security – a cyber event in which a significant part of the database was used or damaged.
The level of security required from a database, is determined in the regulations according to the number of people whose information is included in the database (generally, a database including information regarding more than 100,000 people requires a high level of security) the number of people who have authorized access to the database (generally, a database with more than 100 people authorized to access requires a high level of security) and the nature of the information held in the database.
On 21st October 2018, the Israeli Securities Authority (hereinafter: the ISA) published a Position Statement, according to which in cases of a significant cyber-attack, public companies are required to examine the need to issue an immediate report to the investors notifying them of the attack. According to this Position Statement an immediate report is required in cases where:
- As a result of the attack, the company could not operate for some time.
- The attack may influence the company’s activity. In case the database exposed is protected under the Privacy Laws, a reference to that is required.
- The company’s computer system was damaged, in such a way which has a material influence on the company’s activity.
- The company was required to pay a significant amount as ransom due to an attack.
- The company discovered that its computer systems were exposed to hostile parties.
- A vulnerability was discovered in products supplied/manufactured by the company.
While the ISA’s position was only meant to clarify the ISA’s view regarding the law and is not meant to change the legal situation, this position lights up the challenges involved in dealing with the occurrence of a cyber event. An Immediate Report regarding a cyber event in a public company increases the risk to liability claims which may be brought against the company and to derivative actions against its management.